How to split certain events to 2 different indexer...

tlow · ‎07-09-2014

Hi, want to split out certain eventid to 2 different indexers from a universal forwarder 6.1
could this work?
tried to create on 2 separated apps but it only took on the first one.

[WinEventLog://Security]
disabled=0
whitelist= Category="^Error"
index = Awindows

[WinEventLog://Security]
disabled=0
whitelist= Category="^Info"
index = Bwindows

want to see if i can control on the client side, and not on the indexer

martin_mueller · ‎07-09-2014

That approach doesn't work because you're essentially overwriting the same value from the second stanza - it has the same name so it's the same stanza.

You can rewrite the index value in transforms.conf:

[send_to_A_index]
REGEX = Category="Error"
DEST_KEY = _MetaData:Index
FORMAT = Awindows

[send_to_B_index]
REGEX = Category="Info"
DEST_KEY = _MetaData:Index
FORMAT = Bwindows

Then refer to those stanzas in props.conf:

[sourcetype, source, or host identifier]
TRANSFORMS-index = send_to_A_index,send_to_B_index

Usually these are on the indexer(s), and in most cases it's best to keep it that way. However, it's possible to use a heavy forwarder on the source host to have the HF do the parsing, filtering, etc.

How to split certain events to 2 different indexers from a 6.1 universal forwarder?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How to split certain events to 2 different indexers from a 6.1 universal forwarder?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside